Banking Regulators Issue Joint Statement on Heightened Cybersecurity Risk

On January 16, 2020, the FDIC and OCC issued a joint statement (FDIC FIL-3-2020, OCC Bulletin 2020-5) to remind banks of sound cybersecurity risk management principles. The statement observes, “Cyber actors often use malware to exploit weaknesses in a [bank’s] computers or networks. They often obtain access to financial institution systems and networks by compromising user credentials and introducing malware through social engineering [bank] employees and contractors with phishing or spear phishing attacks.”

The Joint Statement focuses on six key aspects of cybersecurity risk management, which we summarize as follows:

Response, Resilience, and Recovery Capabilities.  Maintain comprehensive, documented, and current incident and business resilience plans that include responding to and recovering from a destructive cyber attack.  One consideration is the use of cyber insurance as part of a broader risk management strategy.

Identity and Access Management.  Use and validate the effectiveness of authentication controls, such as multifactor authentication, to segment and safeguard access to critical systems and data on the network.

Network Configuration and System Hardening.  Review the appropriateness of default system settings, change default user profiles, configure security settings, implement security monitoring tools, and apply security updates and system patches.

Employee Training.  Provide ongoing employee training on recognizing cyber threats, phishing, and suspicious links.

Security Tools and Monitoring.  Use qualified cybersecurity staff or a qualified provider to actively monitor systems, drawing on network threat and vulnerability information available from industry sources.

Data Protection.  Maintain a data classification program to identify sensitive and critical data.  Encrypt or tokenize sensitive and critical data in transit and at rest.

The Joint Statement is the latest in a growing line of cybersecurity regulations applicable to banks.  For a discussion of relevant guidelines, see L&R’s latest article, Robert W. Ludwig, Salvatore Scanio, and Joseph Szary, Technology and Salvage: Using Social Media in Recovery and Allocating Cybercrime Funds Transfers to Third Parties, Am. Bar Ass’n, Tort Trial & Insurance Practice Section, Fidelity and Surety Law 2020 Midwinter Conference, Jan. 31, 2020, at 25-30.

Like other banking agency guidelines, the Joint Statement also expands the guideposts for evaluating whether bank security procedures are commercially reasonable under UCC Article 4A. See, e.g., Patco Constr. Co., Inc. v. People’s United Bank, 684 F.3d 197, 201-04 (1st Cir. 2012).

For further information, contact Salvatore Scanio at sscanio@ludwigrobinson.com or 202-289-7605.